How to respond to the Final Omnibus HIPAA Rule

March 2013

At a glance

The Final HIPAA Omnibus Rule calls for changes to privacy and security requirements that healthcare organizations should address, especially where current practices and processes could be both less effective and expensive to build and maintain, which invites risk.

Organizations that simply address the Final Omnibus HIPAA Rule without taking into account the other privacy and security requirements are at risk of creating a patchwork of processes and controls that will ultimately prove less effective and unnecessarily expensive to build and maintain.

The Final HIPAA Rule makes a number of significant changes. Among other things, it:

strengthens and expands the scope of the HIPAA privacy and security rules

increases penalties for HIPAA violations

extends potential liability and requirements for business associates and subcontractors

creates a new presumption that a reportable compromise has occurred under HIPAA’s federal notification law for breaches of protected health information (PHI) unless a new, specific assessment can demonstrate "little probability."